[Openstack-operators] Liberty Setup - Can't ping Demo Router

Christopher Hull chrishull42 at gmail.com
Wed Mar 9 17:22:27 UTC 2016


Ah!  I CAN ping and ssh to a Cirros instance on the Public net.  So this
may just be a permissions issue or something.  hmmm.  Wonder why I can't
ping the router.


[root@maersk src]# ssh root@172.22.10.12
The authenticity of host '172.22.10.12 (172.22.10.12)' can't be established.
RSA key fingerprint is 6f:90:ef:16:20:5a:b6:81:33:c1:9e:ba:2b:47:cd:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.22.10.12' (RSA) to the list of known hosts.
Please login as 'cirros' user, not as root

^CConnection to 172.22.10.12 closed.
[root@maersk src]# ping 172.22.10.12
PING 172.22.10.12 (172.22.10.12) 56(84) bytes of data.
64 bytes from 172.22.10.12: icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from 172.22.10.12: icmp_seq=2 ttl=64 time=0.097 ms
64 bytes from 172.22.10.12: icmp_seq=3 ttl=64 time=0.115 ms
64 bytes from 172.22.10.12: icmp_seq=4 ttl=64 time=0.096 ms

AND  :-)

[root@maersk src]# ssh cirros@172.22.10.12
$ ping google.com
PING google.com (216.58.216.14): 56 data bytes
64 bytes from 216.58.216.14: seq=0 ttl=54 time=34.185 ms
64 bytes from 216.58.216.14: seq=1 ttl=54 time=32.834 ms
64 bytes from 216.58.216.14: seq=2 ttl=54 time=32.875 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 32.834/33.298/34.185 ms
$ whoami
cirros
$ ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:F1:BE:6F
          inet addr:172.22.10.12  Bcast:172.22.10.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fef1:be6f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:73360 (71.6 KiB)  TX bytes:28415 (27.7 KiB)





- Christopher T. Hull
333 Orchard Ave, Sunnyvale CA. 94085
(415) 385 4865
chrishull42 at gmail.com
http://chrishull.com



On Wed, Mar 9, 2016 at 9:06 AM, Christopher Hull <chrishull42 at gmail.com>
wrote:

>
> Hi all;
> Following the Neutron (Network Option 2 setup) instructions in Liberty.  I
> can't ping my demo router.  However, I do recall there are new security
> constraints that might prevent this in Liberty.   Do I need to somehow
> allow ICMP?
>
> Here's what I did.
>
>
>
> ===========================================
> Create virtual networks
>
> http://docs.openstack.org/liberty/install-guide-rdo/launch-instance.html#create-virtual-networks
>
> ===========================================
> Create Public Provider Network
>
>
> http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-public.html
>
>
> [root@maersk src]# source admin-openrc.sh
> [root@maersk src]# neutron net-create public --shared --provider:physical_network public \
> >   --provider:network_type flat
> Created a new network:
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | be6e920a-51aa-4293-bb95-7ac38aab9df6 |
> | mtu                       | 0                                    |
> | name                      | public                               |
> | port_security_enabled     | True                                 |
> | provider:network_type     | flat                                 |
> | provider:physical_network | public                               |
> | provider:segmentation_id  |                                      |
> | router:external           | False                                |
> | shared                    | True                                 |
> | status                    | ACTIVE                               |
> | subnets                   |                                      |
> | tenant_id                 | fdf3f98a9b0c4e9e94603d8a84ea41a8     |
> +---------------------------+--------------------------------------+
> [root@maersk src]#
>
>
>
>
> --- Create a subnet on the network:
>
> Replace START_IP_ADDRESS and END_IP_ADDRESS with the first and last IP
> address of the range within
> the subnet that you want to allocate for instances. This range must not
> include any
> existing active IP addresses.
>
> Example
> neutron subnet-create public 203.0.113.0/24 --name public \
>   --allocation-pool start=203.0.113.101,end=203.0.113.200 \
>   --dns-nameserver 8.8.4.4 --gateway 203.0.113.1
>
> [root@maersk src]# cat /etc/resolv.conf
> ; generated by /usr/sbin/dhclient-script
> search attlocal.net
> nameserver 172.22.10.254
>
> cat ifcfg-enp3s0
> GATEWAY=172.22.10.254
> DNS1=172.22.10.254
>
> neutron subnet-create public 172.22.10.0/24 --name public \
>    --allocation-pool start=172.22.10.10,end=172.22.10.90 \
>    --dns-nameserver 172.22.10.254 --gateway 172.22.10.254
>
> Created a new subnet:
> +-------------------+--------------------------------------------------+
> | Field             | Value                                            |
> +-------------------+--------------------------------------------------+
> | allocation_pools  | {"start": "172.22.10.10", "end": "172.22.10.90"} |
> | cidr              | 172.22.10.0/24                                   |
> | dns_nameservers   | 172.22.10.254                                    |
> | enable_dhcp       | True                                             |
> | gateway_ip        | 172.22.10.254                                    |
> | host_routes       |                                                  |
> | id                | f227734a-eca3-4472-81f6-620e1bf1fac9             |
> | ip_version        | 4                                                |
> | ipv6_address_mode |                                                  |
> | ipv6_ra_mode      |                                                  |
> | name              | public                                           |
> | network_id        | be6e920a-51aa-4293-bb95-7ac38aab9df6             |
> | subnetpool_id     |                                                  |
> | tenant_id         | fdf3f98a9b0c4e9e94603d8a84ea41a8                 |
> +-------------------+--------------------------------------------------+
>
> ===========================================
> Create the private project network
>
> http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-private.html
>
>
> source demo-openrc.sh
>
> neutron net-create private
> Created a new network:
> +-----------------------+--------------------------------------+
> | Field                 | Value                                |
> +-----------------------+--------------------------------------+
> | admin_state_up        | True                                 |
> | id                    | 28ca326a-8443-4c1c-b288-48920a1eefbe |
> | mtu                   | 0                                    |
> | name                  | private                              |
> | port_security_enabled | True                                 |
> | router:external       | False                                |
> | shared                | False                                |
> | status                | ACTIVE                               |
> | subnets               |                                      |
> | tenant_id             | 7813be77b1de4196b1c6b77006afa21c     |
> +-----------------------+--------------------------------------+
> [root@maersk src]# neutron subnet-create private 192.168.10.0/24 \
> >     --name private --dns-nameserver 172.22.10.254 --gateway 192.168.10.1
> Created a new subnet:
> +-------------------+----------------------------------------------------+
> | Field             | Value                                              |
> +-------------------+----------------------------------------------------+
> | allocation_pools  | {"start": "192.168.10.2", "end": "192.168.10.254"} |
> | cidr              | 192.168.10.0/24                                    |
> | dns_nameservers   | 172.22.10.254                                      |
> | enable_dhcp       | True                                               |
> | gateway_ip        | 192.168.10.1                                       |
> | host_routes       |                                                    |
> | id                | eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92               |
> | ip_version        | 4                                                  |
> | ipv6_address_mode |                                                    |
> | ipv6_ra_mode      |                                                    |
> | name              | private                                            |
> | network_id        | 28ca326a-8443-4c1c-b288-48920a1eefbe               |
> | subnetpool_id     |                                                    |
> | tenant_id         | 7813be77b1de4196b1c6b77006afa21c                   |
> +-------------------+----------------------------------------------------+
>
>
>
>
>
>
> ====
> Create a router
> ====
>
> Private project networks connect to public provider networks using a
> virtual router.
> Each router contains an interface to at least one private project network
> and a gateway
> on a public provider network.
>
> source admin
>
>
> [root@maersk src]# source admin-openrc.sh
> [root@maersk src]# neutron net-update public --router:external
> Updated network: public
> [root@maersk src]# source demo-openrc.sh
> [root@maersk src]# neutron router-create router
> Created a new router:
> +-----------------------+--------------------------------------+
> | Field                 | Value                                |
> +-----------------------+--------------------------------------+
> | admin_state_up        | True                                 |
> | external_gateway_info |                                      |
> | id                    | 52ca91cb-df23-4593-bb95-ea9f1fc33e99 |
> | name                  | router                               |
> | routes                |                                      |
> | status                | ACTIVE                               |
> | tenant_id             | 7813be77b1de4196b1c6b77006afa21c     |
> +-----------------------+--------------------------------------+
> [root@maersk src]# neutron router-interface-add router private
> Added interface 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 to router router.
> [root@maersk src]# neutron router-gateway-set router public
> Set gateway for router router
> [root@maersk src]# source admin-openrc.sh
> [root@maersk src]# ip netns
> qrouter-52ca91cb-df23-4593-bb95-ea9f1fc33e99 (id: 2)
> qdhcp-28ca326a-8443-4c1c-b288-48920a1eefbe (id: 1)
> qdhcp-be6e920a-51aa-4293-bb95-7ac38aab9df6 (id: 0)
> [root@maersk src]# neutron router-port-list router
> +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
> | id                                   | name | mac_address       | fixed_ips                                                                           |
> +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
> | 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 |      | fa:16:3e:d5:62:14 | {"subnet_id": "eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92", "ip_address": "192.168.10.1"} |
> | d1dfcc09-9da6-4366-8080-c73d48286036 |      | fa:16:3e:b7:d2:22 | {"subnet_id": "f227734a-eca3-4472-81f6-620e1bf1fac9", "ip_address": "172.22.10.11"} |
> +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
> [root@maersk src]# ping -c 4 172.22.10.11
> PING 172.22.10.11 (172.22.10.11) 56(84) bytes of data.
> From 172.22.10.99 icmp_seq=1 Destination Host Unreachable
> From 172.22.10.99 icmp_seq=2 Destination Host Unreachable
> From 172.22.10.99 icmp_seq=3 Destination Host Unreachable
> From 172.22.10.99 icmp_seq=4 Destination Host Unreachable
>
> --- 172.22.10.11 ping statistics ---
> 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2999ms
> pipe 4
> [root@maersk src]#
>
>
>
> ===== Config info.
>
> I set LinuxBridgeAgent.ini  linux_bridge physical_interface_mappings to
> public:enp3s0  as this is what shows up for "eth0" when I ifconfig.   Is
> this correct?
>
>
> [root@maersk src]# ./pluto.py show  -p /etc  ml2_conf.ini l3_agent.ini plugin.ini   linuxbridge_agent.ini
> +-------------------+----------------------+--------------------------+
> | ml2_conf: Section | Key                  | Value                    |
> +-------------------+----------------------+--------------------------+
> | ml2               | extension_drivers    | port_security            |
> | ml2               | mechanism_drivers    | linuxbridge,l2population |
> | ml2               | tenant_network_types | vxlan                    |
> | ml2               | type_drivers         | flat,vlan,vxlan          |
> | ml2_type_flat     | flat_networks        | public                   |
> | ml2_type_vxlan    | vni_ranges           | 1:1000                   |
> | securitygroup     | enable_ipset         | True                     |
> +-------------------+----------------------+--------------------------+
>
> +-------------------+--------------------------+-----------------------------------------------------+
> | l3_agent: Section | Key                      | Value                                               |
> +-------------------+--------------------------+-----------------------------------------------------+
> | DEFAULT           | external_network_bridge  |                                                     |
> | DEFAULT           | verbose                  | True                                                |
> | DEFAULT           | interface_driver         | neutron.agent.linux.interface.BridgeInterfaceDriver |
> +-------------------+--------------------------+-----------------------------------------------------+
> +-----------------+----------------------+--------------------------+
> | plugin: Section | Key                  | Value                    |
> +-----------------+----------------------+--------------------------+
> | ml2             | extension_drivers    | port_security            |
> | ml2             | mechanism_drivers    | linuxbridge,l2population |
> | ml2             | tenant_network_types | vxlan                    |
> | ml2             | type_drivers         | flat,vlan,vxlan          |
> | ml2_type_flat   | flat_networks        | public                   |
> | ml2_type_vxlan  | vni_ranges           | 1:1000                   |
> | securitygroup   | enable_ipset         | True                     |
> +-----------------+----------------------+--------------------------+
>
> +----------------------------+-----------------------------+--------------------------------------------------------------+
> | linuxbridge_agent: Section | Key                         | Value                                                        |
> +----------------------------+-----------------------------+--------------------------------------------------------------+
> | linux_bridge               | physical_interface_mappings | public:enp3s0                                                |
> | vxlan                      | l2_population               | True                                                         |
> | vxlan                      | local_ip                    | 172.22.10.99                                                 |
> | vxlan                      | enable_vxlan                | True                                                         |
> | agent                      | prevent_arp_spoofing        | True                                                         |
> | securitygroup              | firewall_driver             | neutron.agent.linux.iptables_firewall.IptablesFirewallDriver |
> | securitygroup              | enable_security_group       | True                                                         |
> +----------------------------+-----------------------------+--------------------------------------------------------------+
>
> - Christopher T. Hull
> 333 Orchard Ave, Sunnyvale CA. 94085
> (415) 385 4865
> chrishull42 at gmail.com
> http://chrishull.com
>
>
>
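
Added example (not part of the original message): a small Python triage of ping output that separates "the sending host could not resolve the target at layer 2" from "packets went out and nothing came back", which is the distinction that matters when asking whether a filter such as a security group is dropping ICMP. POST_OUTPUT is the ping output quoted in the message, 172.22.10.99 is the host's vxlan local_ip from the linuxbridge_agent table, SILENT_OUTPUT is constructed, and classify_ping is a hypothetical helper name.

```python
import re

# "From <addr> ... Destination Host Unreachable" lines name the reporter of the error.
ERR_RE = re.compile(r"^From (\S+) icmp_seq=\d+ Destination Host Unreachable", re.M)
# Matches both iputils ("0 received") and BusyBox ("3 packets received") summaries.
SUM_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

# Ping output as quoted in the message.
POST_OUTPUT = """\
PING 172.22.10.11 (172.22.10.11) 56(84) bytes of data.
From 172.22.10.99 icmp_seq=1 Destination Host Unreachable
From 172.22.10.99 icmp_seq=2 Destination Host Unreachable
From 172.22.10.99 icmp_seq=3 Destination Host Unreachable
From 172.22.10.99 icmp_seq=4 Destination Host Unreachable

--- 172.22.10.11 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2999ms
"""

# Constructed sample: echo requests leave, no reply and no ICMP error returns.
SILENT_OUTPUT = """\
PING 172.22.10.11 (172.22.10.11) 56(84) bytes of data.

--- 172.22.10.11 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
"""


def classify_ping(output, local_ips):
    """Classify ping output given the sending host's own addresses."""
    summary = SUM_RE.search(output)
    if summary is None:
        return "unknown"
    sent, received = int(summary.group(1)), int(summary.group(2))
    if received > 0:
        return "reachable"
    reporters = set(ERR_RE.findall(output))
    if reporters and reporters <= set(local_ips):
        # The sender generated the error itself: no ARP reply for the target,
        # so the fault is at layer 2 (bridge, interface mapping), not a filter.
        return "local-arp-failure"
    if reporters:
        # Another hop on the path reported the target as unreachable.
        return "remote-unreachable"
    # Nothing came back at all: consistent with a DROP rule or a silent host.
    return "silent-drop" if sent > 0 else "unknown"


if __name__ == "__main__":
    print(classify_ping(POST_OUTPUT, ["172.22.10.99"]))
    print(classify_ping(SILENT_OUTPUT, ["172.22.10.99"]))
```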